Hey everyone,
I recently came across a strange situation while managing a new client's Server 2022 setup. After taking over from a previous IT group, we found that all group policies, including the Domain Default Policy (DDC) and Domain Default Controller Policy (DDCP), are completely missing. This revelation hit us when the staff requested an update to the password policy, which highlighted the absence of these key policies. We didn't notice anything wrong initially, which is a lesson learned for all future client takeovers.
The setup includes Hyper-V running a single VM Domain controller with their practice data. We also have backups from the previous IT on an external hard drive. After booting up the oldest VM backup, we found the same issue—suggesting the previous IT was aware of the problem but never addressed it. When we reached out to them for help, they shrugged it off as no longer their concern.
I've tried some troubleshooting steps recommended by Microsoft, including using the "dcgpofix" command to restore the missing group policies, but without luck. It seems we can't easily migrate the current domain to another server without carrying over these issues. My main plan now is to build a new server from scratch with the same domain name, transfer user accounts, and utilize Forensit for a smooth transition.
I'm looking for advice on two fronts: has anyone experienced missing group policies on a domain controller, and if so, how did you resolve it? Also, do you think my strategy of rebuilding the server is sound? Any input would really help!
4 Answers
Have you thought about creating a demo domain to recreate the DDP and DDCP alongside the current setup? If you're using a central GP store, check that the DDP and DDCP are in the correct folder in SYSVOL. Try moving them and then running dcgpofix again—it might help.
I haven't faced this exact issue, but I support the idea of starting fresh with a new domain, just don’t use the old name to avoid future complications. You might be able to address the current GPO issue, but it’s probably best to not risk chasing problems down the line.
Yeah, we were considering that option too. We just rebuilt the test server and copied over the essential files.
I've dealt with something similar recently. Start by checking if DFSR has a backlog - sometimes it shows one without throwing errors. Also, make sure there are no lingering references to the old DC in ADDS or DNS. I had to dive into the registry to enforce an authoritative DFSR replication with the current DC as the source. You can also get the DC to rebuild its own DDC and DDCP folders via GUI, but your other policies might be a lost cause unless you get creative. Also, be careful with reusing the same domain name when you set up the new server—DNS issues can be a real headache!
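The checks in the answer above (default GPOs present on both the AD and SYSVOL side, and a silent DFSR backlog) can be scripted. The following is an added example, not something posted in this thread, and it is read-only: it reports but changes nothing. It assumes it is run on a domain controller with the ActiveDirectory, GroupPolicy and DFSR PowerShell modules installed and an account that can read AD and the SYSVOL share. The two GUIDs are the well-known, fixed identifiers of the Default Domain Policy and Default Domain Controllers Policy; the variable and column names are my own.

```powershell
# Added example (not from the thread): read-only health check for the two
# built-in GPOs and SYSVOL replication. Assumes a DC with the ActiveDirectory,
# GroupPolicy and DFSR modules available and read access to AD and SYSVOL.
Import-Module ActiveDirectory, GroupPolicy, DFSR -ErrorAction Stop

# Well-known GUIDs of the two built-in policies (identical in every domain)
$DefaultGpos = @{
    'Default Domain Policy'             = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    'Default Domain Controllers Policy' = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
}

$domain   = Get-ADDomain
$dnsName  = $domain.DNSRoot
$policies = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$sysvol   = "\\$dnsName\SYSVOL\$dnsName\Policies"

$findings = @()

foreach ($name in $DefaultGpos.Keys) {
    $guid = $DefaultGpos[$name]

    # 1. AD side: the groupPolicyContainer object must exist under CN=Policies
    $adObj = Get-ADObject -Filter "name -eq '$guid'" -SearchBase $policies `
                          -Properties displayName, gPCFileSysPath, versionNumber `
                          -ErrorAction SilentlyContinue

    # 2. SYSVOL side: the policy folder and its GPT.INI must exist on the share
    $folder = Join-Path $sysvol $guid
    $gptIni = Join-Path $folder 'GPT.INI'

    $findings += [pscustomobject]@{
        Policy       = $name
        Guid         = $guid
        AdObject     = [bool]$adObj
        SysvolFolder = Test-Path $folder
        GptIni       = Test-Path $gptIni
        AdVersion    = if ($adObj) { $adObj.versionNumber } else { $null }
    }
}

$findings | Format-Table -AutoSize

# 3. Cross-check: every GPC in AD should have a SYSVOL folder and vice versa.
#    Either kind of orphan shows up in GPMC as a broken or missing policy.
$adGuids  = (Get-ADObject -Filter 'objectClass -eq "groupPolicyContainer"' -SearchBase $policies).Name
$fsGuids  = (Get-ChildItem $sysvol -Directory -ErrorAction SilentlyContinue).Name
$onlyInAd = $adGuids | Where-Object { $_ -notin $fsGuids }
$onlyInFs = $fsGuids | Where-Object { $_ -notin $adGuids }
if ($onlyInAd) { Write-Warning "GPOs in AD with no SYSVOL folder (orphaned GPC): $($onlyInAd -join ', ')" }
if ($onlyInFs) { Write-Warning "SYSVOL folders with no AD object (orphaned GPT): $($onlyInFs -join ', ')" }

# 4. DFSR backlog between every pair of DCs for the SYSVOL replicated folder.
#    A non-zero count here with a clean event log is the silent backlog case.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($src in $dcs) {
    foreach ($dst in ($dcs | Where-Object { $_ -ne $src })) {
        $backlog = Get-DfsrBacklog -GroupName 'Domain System Volume' -FolderName 'SYSVOL Share' `
                                   -SourceComputerName $src -DestinationComputerName $dst `
                                   -ErrorAction SilentlyContinue
        $count = ($backlog | Measure-Object).Count
        '{0} -> {1}: {2} file(s) in backlog' -f $src, $dst, $count
    }
}
```

On a single-DC domain like the one in the question, step 4 produces no output because there is no replication partner; steps 1 to 3 still tell you whether the problem is on the AD side (missing groupPolicyContainer objects), the SYSVOL side (missing folders or GPT.INI), or both, which is what decides whether dcgpofix, a SYSVOL restore from backup, or a rebuild is the right next step.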
Thanks for the tips! We actually built a new VM with the same name and copied the SYSVOL folder over from the backup. That brought back our Group Policy management interface, and now we can rebuild the policies as needed!
So just to clarify, your SYSVOL directories for the GPOs are empty now? That’s rough! It sounds like the previous IT might have accidentally wiped them clean. Glad to hear you managed to fix it, though!
Exactly! The SYSVOL was intact, but nothing was inside. Now that it's resolved, I feel more at ease.
We did just that, created a temporary VM and copied over the newly created SYSVOL. It worked! Now we're on the lookout for any other potential issues.